No subject

After seeing a lot of NetBIOS node-status probes in my firewall logs,
I discovered that many NT servers apparently do a reverse DNS lookup
by sending a NetBIOS node-status query. This is documented at:
http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP
Chris.
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bill
Pennington
Sent: Wednesday, December 13, 2000 11:01 AM
To: Dr SuSE
Cc: Snort Users
Subject: Re: [Snort-users] RFC1918 traffic
I believe the traffic you are seeing is due to a bug in Windows name
resolution. If an NT machine tries to resolve an IP address it tries
DNS, then WINS. In the case of a dual-homed machine this also causes the
machine to send NetBIOS resolution packets from all interfaces. This is
most likely what you encountered. I can't find the MS article on this
issue at the moment.
I have been thinking about writing something that would force a machine
with this bug to give up internal IP addresses but have not had time to
pursue it.
Dr SuSE wrote:
> At the place of my current employment one of my tasks is to review alerts
> sent to me by our firewall and from that information I'm expected to
> determine what would-be hackers are up to without having access to the
> full firewall logs.
>
> Yesterday I got an alert and noticed something was not right. Packets
> were being dropped which had a source IP of 192.168.0.1. Here is the
> alert sent to me.
> ===================================
> 11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44
> ====================================
>
> There are a total of three of these and they are all identical and all
> came in within a few seconds of each other.
>
> I talked to Marty about this last night on #snort and he provided much
> help as to how an RFC1918 IP could show up on the Internet side of the
> firewall. Thanks again for the info Marty.
>
> So, last night I wrote a rule to detect TCP, ICMP and UDP traffic from
> RFC1918 IPs. I'm not sure how useful the rules will be but I figured I'd
> share the info and maybe get some feedback from the rest of you Snort
> users and in the process learn something. I'm sorry I don't have any
> more information other than the email alert but that's all I have access
> to.
>
> Anyway, to the rules.
>
> In snort.conf I created a variable which has the value of the private
> IPs as specified by RFC 1918:
>
> var RFC1918 [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
>
> Then in the rules file I simply added these rules.
>
> alert TCP $RFC1918 any -> $INTERNAL any (msg: "TCP Traffic from RFC1918 IP";)
> alert UDP $RFC1918 any -> $INTERNAL any (msg: "UDP Traffic from RFC1918 IP";)
> alert ICMP $RFC1918 any -> $INTERNAL any (msg: "ICMP Traffic from RFC1918 IP";)
>
> ---------------------------------------------
> Microsoft is not installed.
> http://www.drsuse.org/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users
--
Bill Pennington - CISSP
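As an added example (not code from the thread, from Snort, or from the firewall vendor), the script below applies the same RFC 1918 source-address check offline to alert lines in the format Dr SuSE quoted, and merges identical alerts that arrive within a few seconds of each other into one "burst", which is how his three alerts would appear. The regular expression, the sample alert lines, the 203.0.113.7 and 172.20.4.9 addresses and the 10-second window are all constructed for this example.

```python
"""
Flag firewall drop alerts whose source address is RFC 1918 space and group
repeated identical alerts into bursts.  Added example; the alert format is
modelled on the single line quoted in the thread and the sample lines are
constructed, not real logs.
"""
import ipaddress
import re
from datetime import datetime

# The same three blocks as the snort.conf variable in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample alerts: three identical private-source drops a few seconds
# apart (as described in the thread), one public-source drop (203.0.113.7 is a
# documentation address), one further private source, and one unparsable line.
SAMPLE_ALERTS = [
    "11Dec2000 18:21:07 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:21:10 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:21:16 drop firewall > btlan01 useralert proto tcp src 192.168.0.1 dst machine.my.domain.com service port135 s_port 1047 len 48 rule 44",
    "11Dec2000 18:25:42 drop firewall > btlan01 useralert proto udp src 203.0.113.7 dst machine.my.domain.com service port137 s_port 137 len 78 rule 44",
    "11Dec2000 18:30:00 drop firewall > btlan01 useralert proto tcp src 172.20.4.9 dst machine.my.domain.com service port139 s_port 1025 len 48 rule 44",
    "garbage line that does not parse",
]

# Assumed layout: "<ddMonyyyy> <HH:MM:SS> <action> ... proto <p> src <a> dst <b> service <svc> s_port <n> ...".
ALERT_RE = re.compile(
    r"^(?P<date>\d{2}[A-Za-z]{3}\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r".*?proto (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"service (?P<service>\S+) s_port (?P<sport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d%b%Y %H:%M:%S")
    return rec


def is_rfc1918(addr):
    """True only for an IPv4 address inside one of the RFC 1918 blocks; hostnames and junk give False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def find_private_sources(lines):
    """Parse every line and keep the alerts whose source address is RFC 1918 space."""
    return [rec for rec in map(parse_alert, lines) if rec and is_rfc1918(rec["src"])]


def group_bursts(alerts, window_seconds=10):
    """Merge alerts with the same (src, dst, proto, service) that arrive within
    window_seconds of the previous member of the burst.  Bursts of different keys
    may interleave; each key tracks its own open burst."""
    bursts, open_bursts = [], {}
    for rec in sorted(alerts, key=lambda r: r["ts"]):
        key = (rec["src"], rec["dst"], rec["proto"], rec["service"])
        b = open_bursts.get(key)
        if b and (rec["ts"] - b["last"]).total_seconds() <= window_seconds:
            b["count"] += 1
            b["last"] = rec["ts"]
        else:
            b = {"key": key, "count": 1, "first": rec["ts"], "last": rec["ts"]}
            bursts.append(b)
            open_bursts[key] = b
    return bursts


if __name__ == "__main__":
    for b in group_bursts(find_private_sources(SAMPLE_ALERTS)):
        src, dst, proto, service = b["key"]
        print(f"{b['count']}x {proto} {src} -> {dst} {service} "
              f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
```

The address test here is exactly what the three Snort rules above do per packet. Both are only meaningful for traffic observed on the Internet-facing side of the firewall: on an internal segment that itself uses RFC 1918 addressing, every packet would match. Grouping identical alerts into bursts, keyed on the destination service as well as the addresses, makes it easier to tell a single misconfigured dual-homed host of the kind Bill describes from a wider pattern when only e-mailed alerts, and not the full logs, are available.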